On 03/06/2009, at 9:17 AM, Peter Saint-Andre wrote:
On 6/2/09 3:49 PM, Dave Cridland wrote:
On Tue Jun 2 21:43:00 2009, Peter Saint-Andre wrote:
Thanks for the clarification. Personally I'd love to have key-login to
XMPP servers (and HTTP servers!)
Pick the right client and server, and you can do this already, albeit
with X.509 rather than PGP.
Problem is, how many people have PGP keys or X.509 certs? Even the
security geeks on this list don't seem to use such technologies!
We solved a similar problem with CipherIM in '99 by creating an RSA/DSA
key pair during installation, using a password strength test
algorithm, then using the result to create conversation-level session
keys once an SSL connection was up end to end (client-server-client).
It all worked well, even our DSD contact here liked the end result, so
much so we had to get a crypto export license.
Maybe the spec would allow ISVs to create an X.509 certificate at
install time, on demand, or use a supplied one from a CA.
The security is then as strong as the end user can be bothered to put
in place.
so that we could move beyond passwords
for authentication.
To be fair, that needs smart cards. (Unless you ignore the passphrase
needed somewhere).
I meant that passwords need not be exchanged over the wire if you're
doing SASL EXTERNAL.
Peter
--
Peter Saint-Andre
https://stpeter.im/